Summary
A skill scan reports two lower-severity cleanup items that may be worth addressing for policy/scanner compatibility:
- setup docs contain a curl ... | sh example
- SKILL.md does not include a license field in frontmatter
Affected paths
- plugins/railway/skills/use-railway/references/setup.md:1
- plugins/railway/skills/use-railway/SKILL.md
Why this is getting flagged
- curl ... | sh is a standard convenience install pattern, but scanners often flag it because it downloads and immediately executes remote code.
- Missing manifest metadata is not a security issue, but it can still show up in policy checks.
Suggested fix
- Consider documenting a safer alternative alongside the one-line installer, such as downloading first and inspecting before execution.
- Add a license field to SKILL.md frontmatter if appropriate.
Reproduction
skill-scanner scan <path-to-use-railway> --lenient --format markdown --detailed
Note
These are lower-priority than the SQL and prompt-wording findings, but they are straightforward cleanup items.
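
The download-then-inspect alternative suggested above, sketched as an added example (not part of the original issue or the project's setup docs). The function names are hypothetical, the installer URL and pinned digest are supplied by the caller, and the checksum step goes one step beyond the issue's "inspect before execution" suggestion:

```sh
#!/bin/sh
# Added example: replaces `curl ... | sh` with fetch, verify, review, run.
# The URL and expected digest are arguments; nothing here comes from the project.

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if the file is non-empty and matches the pinned digest.
verify_installer() {
    file=$1 expected=$2
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
}

# Download to a file over HTTPS only; fail on HTTP errors instead of
# saving an error page that would later be run as a script.
fetch_installer() {
    url=$1 dest=$2
    curl --fail --silent --show-error --location --proto '=https' \
         --tlsv1.2 --output "$dest" "$url"
}

# Full flow: nothing is executed until the digest matches and the
# operator has read the script and confirmed.
install_reviewed() {
    url=$1 expected=$2
    tmp=$(mktemp) || return 1
    fetch_installer "$url" "$tmp" &&
    verify_installer "$tmp" "$expected" &&
    ${PAGER:-less} "$tmp" &&
    printf 'Run this installer? [y/N] ' &&
    read -r answer && [ "$answer" = y ] &&
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Call it as `install_reviewed <installer-url> <expected-sha256>`, with the digest taken from a source other than the download itself.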